ABSTRACT


Information  technology  (IT)  is  an  essential  part  of  any  military  action.  It  is 
used  to  accomplish  all  operational  functions  and  through  all  stages  of  the 
employment  of  forces  in  peacetime  and  in  war.  It  has  a  positive  effect  on  the  use 
of  space  and  time.  The  U.S.  military  increasingly  relies  upon  the  force  multiplier 
effect  yielded  by  technological  superiority  and  plans  to  conduct  information 
warfare  (IW)  in  future  conflicts  to  minimize  exposure  and  risk  to  forces.  Despite 
the  clear  advantages  that  IT  and  IW  can  create  for  the  combatant  commander, 
their  use  is  not  risk  free.  Heavy  dependence  on  IT  yields  a  target  rich 
environment  for  any  adversary  wishing  to  conduct  his  own  IW  campaign.  Current 
developments  in  doctrine  for  IW  do  not  adequately  focus  on  the  potential 
ramifications  of  IW  and  fail  to  highlight  the  criticality  of  the  function  of  defensive 
IW  (IW-D)  and  the  operational  protection  of  our  extended  IT  infrastructure. 

The  challenges  presented  by  U.S.  investment  in  and  reliance  upon  IT  and 
the intent to use offensive IW (IW-O) in future conflicts require thoughtful,
methodical  approaches  to  minimizing  the  risk  entailed.  This  paper  provides  the 
combatant  commander,  and  subordinate  commanders,  with  a  background  for 
appreciating  our  IW/IT  vulnerabilities.  It  begins  by  considering  the  elements  of 
IW  and  the  vulnerable  elements  in  our  IT  infrastructure.  A  general  discussion  of 
the  concept  of  operational  protection  and  the  IT  and  IW  assets  requiring 
protection  in  theater  and  at  the  strategic  level  follows.  General  threats  to  these 
systems  are  described.  The  paper  concludes  by  proposing  the  use  of 
Operational  Risk  Management  (ORM)  for  developing  and  implementing  an 
effective  strategy  of  operational  protection  for  IW  and  IT  assets.  It  suggests  an 
approach  to  tie  these  concepts  together  into  a  rational  plan  for  minimizing  risk 
and  maximizing  the  commander’s  probability  that  he  will  indeed  win  the 
information  war. 
Introduction


Information  Warfare  has  emerged  as  a  key  joint  warfighting 
mission  area.  The  explosive  proliferation  of  information-based 
technology  significantly  impacts  warfighting  across  all 
phases, the range of military operations, and all levels of war.

-  General  John  M.  Shalikashvili 

Information  technology  (IT)  is  an  essential  part  of  any  military  action.  It  is 
used  to  accomplish  all  operational  functions  and  through  all  stages  of  the 
employment  of  forces  in  peacetime  and  in  war.  It  has  a  positive  effect  on  the  use 
of  space  and  time.  The  U.S.  military  increasingly  relies  upon  the  force  multiplier 
effect  yielded  by  technological  superiority  and  plans  to  conduct  information 
warfare  (IW)  in  future  conflicts  to  minimize  exposure  and  risk  to  forces.  Despite 
the  clear  advantages  that  IT  and  IW  can  create  for  the  combatant  commander, 
their  use  is  not  risk  free.  Heavy  dependence  on  IT  yields  a  target  rich 
environment  for  any  adversary  wishing  to  conduct  his  own  IW  campaign.  Current 
developments  in  doctrine  for  IW  do  not  adequately  focus  on  the  potential 
ramifications  of  IW  and  fail  to  highlight  the  criticality  of  the  function  of  defensive 
IW  (IW-D)  and  the  operational  protection  of  our  extended  IT  infrastructure. 

The  challenges  presented  by  the  investment  in  and  reliance  upon  IT  and 
the intent to use offensive IW (IW-O) in future conflicts require thoughtful,
methodical  approaches  to  minimizing  the  risk  entailed.  This  paper  provides  the 
combatant  commander,  and  subordinate  commanders,  with  a  background  for 
appreciating  such  IW/IT  vulnerabilities.  It  begins  by  considering  the  elements  of 
IW  and  the  vulnerable  elements  in  the  IT  infrastructure.  A  general  discussion  of 
the  concept  of  operational  protection  and  the  IT  and  IW  assets  requiring 
protection in theater and at the strategic level follows. Threats to these systems
are  described.  The  paper  concludes  by  proposing  the  use  of  Operational  Risk 
Management  (ORM)  for  developing  and  implementing  an  effective  strategy  of 
operational  protection  for  IW  and  IT  assets.  Its  approach  ties  these  concepts 
together  into  a  rational  plan  for  minimizing  risk  and  maximizing  the  commander’s 
probability  that  he  will  indeed  win  the  information  war. 

Background 

Long  ago  the  United  States’  use  of  IT  passed  the  threshold  that  defines  its 
continued,  reliable  function  as  a  vital  interest.  Commercial  systems  are  essential 
to  socio-economic  well  being  and  to  defense.  Transactions  across  financial 
networks,  transmissions  across  voice  and  data  circuits,  automated  control  of  air 
and  rail  transport  systems... these  are  just  a  few  examples  of  publicly  controlled 
IT  that  are  both  essential  to  commerce  and  integrated  with  defense  systems  to 
support  military  communications,  logistics  and  administration.  The  leverage 
gained  from  information  systems  is  countered  by  the  vulnerabilities  created  by 
that  dependence.  National  security,  in  the  broadest  sense  of  the  term,  relies  on 
the  integrity  of  our  information  and  information  processes. 

The  1996  National  Security  Strategy  recognizes  the  key  roles  of  IT  and 
the National Information Infrastructure (NII), the “electronic superhighway.” It
cites “threat of intrusions to our military and commercial information systems” as
significant risks. The National Military Strategy notes the “remarkable leverage
attainable  from  modern  reconnaissance,  intelligence  collection  and  analysis,  and 
high-speed  data  processing  and  transmission”  and  highlights  the  combatant 
commander’s need for fused information systems. Fighting and winning the
information  war  is  a  clear  objective  for  U.S.  forces. 

All  four  services  are  developing  IW  doctrine  based  on  Operation  Desert 
Storm’s  IW  success.  The  focus  is  on  IW-O  with  an  additional  charge  to  prevent 
the  enemy’s  successful  conduct  of  IW  against  friendly  forces.  This  focus  is 
backwards.  IW-D  is  more  important  to  our  military  operations  than  IW-O.  The 
old  saw  ‘the  best  defense  is  a  good  offense’  holds  true  only  if  the  offense  is 
focused  on  combating  threats  to  our  own  IT  investment.  Stephen  Kent,  chief 
scientist  for  security  technology,  Bolt  Beranek  and  Newman,  Inc.,  captures  the 
essence  of  the  problem,  “In  information  warfare,  offensive  forces  have  an 
enormous advantage over defensive forces.” Single micro-computers with
modems  and  readily  available  software  can  attack  entire  networks.  Accepted 
defense-to-offense  ratios  simply  do  not  apply.  The  extended  infrastructure  is  like 
an  overextended  front  line  -  extremely  vulnerable  to  attack  and  needing 
reinforcement.  The  operational  commander  must  deliberately  act  to  minimize  the 
risk  that  essential  information  systems  will  fail  or  will  succumb  to  attack  at  a 
pivotal  moment.  This  process  must  start  long  before  any  crisis  erupts  to  call  the 
military  into  action.  It  is  one  for  consideration  by  any  erstwhile  operational 
commander  before  the  mantle  of  theater  command  is  cast  his  direction. 

IW  -  What  is  It? 

Because  IW  is  relatively  young,  there  is  no  single  accepted  definition. 
Some  argue  that  it  comprises  any  use  of  information  systems  to  gain  an 
advantage  in  war.  This  includes  the  administrative  use  of  computers  for 
processing logistics or reports and is too broad. Others limit IW to the several
areas  that  are  sufficiently  developed  to  have  accepted  doctrine  such  as 
command  and  control  warfare  (C2W)  and  psychological  operations  (PSYOPS.) 
Confusing  the  issue  further  is  the  valid  point  that  IW  is  not  limited  to  the  military 
sphere  or  to  conduct  by  military  forces.  Indeed,  IW  “spans  the  spectrum  of 
political, economic, physical and military activities.” In the extended context, the
term  “information  operations”  is  now  in  vogue. 

The  military  definition  of  IW  describes  the  “actions  taken  to  achieve 
information  superiority  by  affecting  adversary  information,  information-based 
processes,  information  systems,  and  computer-based  networks  while  defending 
one’s  own  information,  information-based  processes,  information  systems,  and 
computer-based networks.” It does not consider as IW assets all of the systems
that IW-D is expected to defend (e.g. inventory tracking systems or personnel
administration systems.) The commander’s plan for conducting IW-D must
consider  all  IT  assets  upon  which  he  relies  to  gain  information  superiority. 
Strategically,  the  IW  battlespace  extends  outside  of  the  theater.  Comprehensive 
IW-D  relies  upon  actions  taken  by  other  agencies  and  by  commercial  industry. 

The IW Battlespace

The  total  IW  battlespace  literally  spans  the  globe.  Agents  may  be  nations, 
political  groups,  coalitions,  religious  groups  or  military  groups.  Interactions  range 
from cooperation through competition to conflict and ultimately war. From the
operational  commander’s  perspective,  the  IW  battlespace  is  focused  within  the 
theater of operations. It comprises his potential IW-O targets and the command,
control, communications, computers, intelligence, surveillance and
reconnaissance  (C4ISR)  systems  and  general-purpose  information  systems  used 
by  his  staff  and  assigned  forces.  The  full  suite  of  C4ISR  and  information  systems 
includes those used to prosecute IW-O and those used for staff support. Both
subsets  are  potential  targets  for  the  enemy.  IT  assets  outside  of  the  theater  of 
operations  connect  the  operational  commander  to  additional  support  elements 
and  to  senior  commands.  He  depends  on  their  reliability  and  must  understand 
their  vulnerability. 

Intra-theater 

IT  assets  inside  the  theater  are  either  stand-alone  systems  or  networked 
systems. Stand-alones do require protection from enemy IW-O, but the problem
is  much  simpler  than  for  networked  systems.  Physical  protection,  emanations 
security,  procedures  standardization  and  user  education  are  typically  sufficient 
safeguards  for  stand-alone  devices.  Enforcement  of  standards  and  procedures 
is key to protecting the information processed on them. Devices relying upon
active  emissions  to  perform  their  missions,  such  as  air  defense  radar,  require 
additional  defense  elements  which  may  be  an  integral  part  of  the  systems. 

Networked  systems  expand  the  problem  of  system  security.  They 
typically have a larger footprint (i.e. they are spread out, possibly between
facilities,  trailers  or  buildings,)  more  personnel  involved  in  their  operation,  more 
access  points  (and  signals  emanation  points,)  and  process  higher  volumes  of 
data.  Additionally,  staffs  tend  to  depend  more  heavily  upon  networked  systems 
due  to  the  inherent  advantages  of  data  and  process  sharing  and  communications 
facilitation. A networked IT system solely used in a single controlled locale is
commonly  referred  to  as  a  local  area  network  (LAN).  LAN  protection  is  an 
expanded  problem,  but  it  is  essentially  the  same  as  that  for  stand-alone  systems. 

Unfortunately  (for  those  tasked  with  providing  systems  security), 
networked  systems  are  not  usually  contained  within  a  controlled  locale.  They 
extend  throughout  the  theater  into  wide  area  networks  (WANs)  covering  many 
kilometers  over  various  media.  This  extended  connectivity  allows  the 
commander  to  gain  a  better  view  of  theater  operations,  share  information  with 
assigned  forces,  and  allows  various  sensor  and  weapons  systems  to  share  data. 
This connectivity is a linchpin in the process of securing information superiority.
It is also a key target for C2W, one of the pillars of IW-O.

Extra-theater 

The  operational  commander’s  WANs  and  some  LANs  will  be  connected  to 
systems  outside  of  the  theater  of  operations.  He  will  also  control  some  individual 
systems  that  are  local  connections  to  someone  else’s  network.  These 
connections tie him into the Defense Information Infrastructure (DII). The DII is
operated as “a utility to support war fighting, intelligence and business
functions and is a subset of the National Information Infrastructure (NII).”
Classified sections of the DII are covered by traditional protection afforded by
encryption and access control. This may protect data held and processed on the
DII, but it does not guarantee the DII’s security. The DII depends on reliable
function of the U.S. power grid and public switched telecommunications. Over
95% of the DII voice and data traffic travels on the public telephone system.
Unclassified defense systems (including most logistics systems) are connected
to commercial systems that are connected to other systems. The intimate
existence of the DII with commercial systems increases its vulnerability. A
successful  IW  attack  on  unprotected  civilian  infrastructure  assets  could  render 
defense  systems  temporarily  disabled  or  decrease  their  reliability  to  the  point 
where  they  are  effectively  disabled. 

Does  IT  Need  Operational  Protection  or  Strategic  Protection? 

Government  and  commercial  computer  systems  are  so  poorly 
protected  today  that  they  can  essentially  be  considered 
defenseless - an electronic Pearl Harbor waiting to happen.

-  Winn  Schwartau 

“Protecting  one’s  own  and  friendly  forces  from  a  wide  range  of  threats  is 
one of the commander’s most important responsibilities.” It is intended to
ensure  that  when  the  decisive  time  and  place  coincide,  friendly  forces  and  assets 
are  ready  for  employment.  It  entails  deliberate  efforts  to  counter  the  enemy’s 
maneuver  and  firepower  by  making  forces  and  assets  difficult  to  locate,  strike 
and  destroy.  It  includes  protecting  forces  and  assets  against  natural  disasters. 
For  assets  that  are  complex  systems,  it  must  also  protect  against  human  error 
and  accident.  The  operational  commander’s  task  is  complicated  by  the  fact  that 
the  function  of  his  IT  assets  involves  lines  of  communication  (LOCs)  reaching 
from his tactical forces back to information assets in the United States.
Clausewitz’s advice that lines of communication “must not be permanently cut,
nor must they be too long or difficult to use” is fair warning to the operational
commander  that  he  must  understand  how  his  LOCs  function  and  how  well  they 
are  protected. 
The failure to provide adequate strategic protection to IT assets is real.
The July 15, 1996 Executive Order establishing the President's Commission on
Critical  Infrastructure  Protection  is  a  step  in  the  right  direction.  Critical  assets 
include  telecommunications,  electrical  power  systems,  gas  and  oil  storage  and 
transportation,  and  banking  and  finance.  The  executive  order  identified  both 
physical  threats  and  “cyber  threats”  against  which  the  commission  was  tasked  to 
develop  a  strategy  of  defense  ensuring  that  the  government  and  private  sectors 
work together because of the extensive integration of systems and interests.

The  efforts  of  the  commission  are  outside  of  the  operational  commander’s 
direct  purview.  Nonetheless,  understanding  that  the  risk  to  his  IT  LOCs  extends 
back  to  the  homefront,  he  will  be  better  able  to  judge  the  robustness  of  the 
information  architecture  on  which  he  relies  and  develop  his  own  plan  for 
operational  protection. 

At  the  operational  level  two  factors  drive  the  requirement  for  operational 
protection of IT assets: their value and the threat environment. A third factor, the
capability  to  provide  an  effective  defense,  will  influence  the  commander’s 
approach  depending  upon  the  specific  asset/threat  combination. 

Value  of  IT  and  IW  assets 

IT  brings  tremendous  value  to  the  operational  commander’s  table.  Its 
ability  to  synthesize  intelligence  and  surveillance  data  into  a  fused  picture 
enhances  the  commander’s  ability  to  achieve  solid  awareness  of  the  activity 
within  the  battlespace  and  to  ascertain  the  strengths  and  weaknesses  of  his 
adversary.  The  ability  to  communicate  graphically  and  verbally  with  levels 
above, below, and across, helps maintain synchronization and control, and
minimizes confusion. IW-O assets such as sensors and weapons guidance
systems  provide  indications  and  warnings  of  attack  and  allow  precision  strike.  Of 
particular  importance  to  the  commander  are  his  C2  Support  (C2S)  Systems. 

The  commander  relies  extensively  upon  his  C2S  systems  to  enable  him  to 
accomplish  the  functions  of  C2.  C2S  systems  must  reliably  provide  information 
that  is  relevant,  essential,  timely  and  in  quickly  understandable  and  usable  form. 
An  electronic  extension  of  the  commander’s  thought  process,  they  allow  him  to 
stay ahead of his adversary in the decision cycle. They are his principal tool to
collect, transport, process and disseminate information. Essential to success,
they are the IT assets most keenly targeted by C2W, the “anti-head, anti-neck”
attack and the most developed form of IW-O. Targeted at breaking down the
military leader’s decision capability, C2W yields the highest IW-O pay-off.

What  happens  when  these  systems  are  degraded?  A  study  conducted  at 
the  Naval  Postgraduate  School  in  1994  demonstrated  how  degradation  of 
information  flow  directly  affects  mission  accomplishment.  By  slowing  information 
transfers  about  adversary  movements  or  about  partner  movements,  both  mission 
accomplishment  and  rate  of  mission  accomplishment  were  reduced.  The  impact 
was  especially  clear  for  operations  crossing  boundaries  between  operational 
areas.  Slowing  both  information  transfers  did  not  yield  a  sum  of  their  individual 
effects - the impact was magnified. The simulated effect was a slow-down
of  the  decision  cycle  and  increasing  uncertainty.  The  same  effect  taking  place  in 
reality  is  unacceptable. 
Threats to IT Assets

Clausewitz  cautions  the  commander  who  forays  deep  into  enemy  territory 
that  he  will  have  “very  long  and  vulnerable  lines  of  communication,  whose  chief 
weakness,  however  [sic],  lies  in  their  being  always  and  everywhere  exposed  to 
attacks by an insurgent population.” This is especially true for the extended
LOCs  supporting  the  operational  commander’s  theater  IT  assets.  The  insurgent 
attack  can  be  waged  in  or  out  of  theater,  and  the  attacker  need  not  be  physically 
present.  The  operational  commander  cannot  assume  that  because  his  opponent 
is  technologically  backwards  he  will  not  be  capable  of  executing  an  effective 
attack  against  IW  and  IT  assets.  Attacks  can  be  launched  with  inexpensive, 
commercially  available  equipment  and  the  talent  to  use  the  equipment  can  be 
hired  or  trained  at  similarly  low  costs. 

IT and IW assets are also exposed to risk due to natural disasters such as
floods or lightning storms. The human factor has great impact on the security of
the commander’s systems. It can wreak havoc through simple error, inadequate
doctrinal training (i.e., the misuse of the IT or IW tool), laziness (leading to lax
attitudes about security), or even deliberate sabotage actions. These factors add
up to a situation in which it is impossible to eliminate all risk that accompanies
dependence upon IT and IW assets.

A  Strategy  for  Risk  Management 

Because  100  percent  protection  of  information  is  not  possible 
all  of  the  time,  risk  management  rather  than  risk  avoidance  is 
necessary.

Operational  Risk  Management  (ORM)  adopts  a  risk  versus  benefit 
philosophy to help the operational commander apply the best level of controls to
a mission or operation. The objective is to undertake risk with a solid
understanding  of  what  one  faces,  knowing  that  risks  have  been  identified, 
assessed  and  controlled  where  possible.  It  has  been  used  successfully  to 
minimize  risk  across  a  broad  range  of  activities.  “Military  units  have  reduced  their 
mishap rate up to 60 percent by using operational risk management (ORM).”
Naval Warfare Publication 1 states, "Risk Management is a formal, essential tool
of operational planning. Sound decision making requires the use of this tool both
in battle and in training." It is based on four basic principles:

•  Know  the  risk 

•  Accept  no  unnecessary  risk 

•  Make  risk  decisions  at  the  appropriate  level  to  establish  clear 
accountability 

•  Accept  risk  when  benefits  outweigh  the  costs 

The  basic  process  is  simple.  Consider  the  mission  in  question.  Identify 
any  hazards  associated  with  each  step  of  the  mission.  Develop  means  to  control 
or  eliminate  each  hazard  for  each  step.  Identify  alternate  means  to  do  the  step  in 
the  event  it  fails  despite  efforts  to  control  its  risk.  Compare  the  risks  of  each  step 
to  the  value-added  it  contributes  to  the  mission.  Make  control  decisions  based 
on  cost-benefit  comparison.  Review  control  actions  then  rehearse  the  plan. 

This  careful  review  of  the  planned  mission  and  alternate  steps  essentially 
pre-programs  personnel  to  recognize  when  things  are  starting  to  go  awry. 
Observations will translate into recognition and orientation more quickly.
Decisions will already have been thought through. And actions can be taken
almost  immediately.  In  a  nutshell,  ORM  sides  with  Murphy.  What  can  go  wrong, 
will  go  wrong.  One  had  better  be  ready  for  it. 
Applying ORM to IT/IW Operational Protection

Developing  a  scheme  of  operational  protection  for  systems  is  not  the 
same  as  planning  a  mission.  Nonetheless,  the  dependence  on  these  assets 
makes  them  stand  out  as  mission  vulnerabilities.  ORM  principles  apply. 

Risk  Assessment 

The  first  step  in  applying  ORM  to  IT/IW  operational  protection  is  the  most 
difficult  because  of  the  wide  range  of  risks  involved  both  in  and  out  of  theater. 
Effective  hazard  identification  is  the  key  to  success.  Once  each  hazard  is 
identified,  controlling  mechanisms  can  be  put  in  place.  If  a  control  isn’t  possible, 
at  least  the  potential  for  being  surprised  will  be  reduced  as  the  process  provides 
an  education  to  recognize  attacks  (or  system  failures)  in  the  making. 

“Successful  protection  of  the  Army  battle  command  system  starts  with  an 
understanding of how others will seek to degrade or exploit it.” Friendly forces
must  evaluate  themselves  from  the  enemy’s  eyes  to  determine  the  best  estimate 
of  what  the  enemy  views  as  their  critical  assets.  Advice  for  planning  an  IW  attack 
is  to  evaluate  systems,  networks  and  facilities  as  to  their  usefulness  as  targets; 
give them a level-of-effort; and allocate resources to take them. By shifting
perspective,  a  sound  defensive  approach  is  realized.  Evaluate  own  systems  as 
to  their  usefulness  to  the  enemy  as  targets,  estimate  how  much  effort  he  would 
be  willing  to  make  against  them  and  allocate  resources  to  defend  them. 

Joint  effort  of  intelligence  and  IW  personnel  is  critical  to  success  in  this 
phase.  An  effective  information  assurance  strategy  calls  for  identification  of 
critical  nodes  and  links  and  an  assessment  of  an  adversary’s  capabilities  and 
intentions. Intelligence will be needed on potential forms of attack including
technical  parameters,  operating  procedures,  employment  doctrine  and 
vulnerabilities  of  adversary  C2-attack  equipment  and  weapons  systems.  The 
style  and  capability  of  the  adversary’s  reconnaissance,  surveillance  and  target 
acquisition  process,  their  evaluation  of  critical  friendly  command  and  control 
nodes  and  high-value  targets,  adversary  doctrine  and  capabilities  for  the  use  of 
psychological operations and military deception all must be investigated.”
Complicating  the  intelligence  problem  is  the  fact  that  much  of  this  activity  will 
need to be done during routine peacetime. The “adversary” won’t be known.
This information will be needed for a variety of adversary profiles and for specific
adversaries  identified  as  “likely  suspects.” 

In  addition  to  the  risk  of  enemy  attack  within  theater,  the  ORM  process 
must  also  assess  the  risk  to  strategic  IT  assets.  The  operational  commander  will 
not  be  able  to  directly  control  actions  taken  to  defend  those  assets,  but  he  is  in  a 
position  to  minimize  his  risk  by  pressing  for  high  readiness  in  theater  as  soon  as 
possible.  For  example,  “Logistics  information  systems  tend  to  be  both  elaborate 
and  critical  to  successful  military  operations  and  yet  generally  subject  to  less 
stringent security measures than other military information systems.” The force
will  be  most  threatened  by  the  vulnerability  of  logistics  systems  during 
mobilization  and  movement  into  the  theater  of  operations.  Once  in  theater  the 
commander  can  demand  quick  action  on  the  part  of  his  forces  to  ensure  supply 
requirements  are  reviewed  and  acted  on  daily.  He  can  press  for  a  local  database 
to  track  personnel  and  supplies  once  they  have  entered  the  theater.  In  the  event 
logistics databases in the U.S. are attacked, he can isolate his local database
and  use  it  to  maintain  accountability  of  the  logistics  assets  within  his  control. 

His  extended  LOCs  are  another  vulnerability  that  he  does  not  control,  but 
must  consider  in  his  plans.  Alternate  channels  must  be  identified  and  tested. 
Communications  and  circuit  shifts  between  options  must  be  drilled.  Peacetime 
“breakdowns”  in  the  extra-theater  LOCs  should  be  noted,  reported  and  followed 
until  they  are  resolved.  The  problem  is  so  large  that  no  one  wants  to  take 
responsibility.  The  operational  commander  must  force  the  issue. 

Consideration  of  alternate  channels  should  not  be  bounded  by  established 
options.  “Lines  of  communication  will,  of  course,  have  been  set  up  at  home,  but 
the  army  is  not  necessarily  tied  to  them;  if  need  be,  it  can  leave  them  and  use 
any road available.” This is as true today as it was in Clausewitz’s time. A
willingness  to  leave  the  beaten  path  builds  in  a  kind  of  serendipitous  redundancy. 
Consider  that  in  1944,  during  the  Battle  of  Arnhem  the  British  First  Airborne 
Division  landed  with  the  wrong  radio  crystals  and  believed  their  communications 
were cut off. Throughout the battle the national telephone system was fully
functional.  Had  the  paratroopers  thought  “outside  the  box”  for  alternate 
solutions,  or  had  they  identified  this  alternative  prior  to  the  operation,  they  could 
have easily found access to a link with their command element.

Use  of  IT  brings  on  other  common  risks.  Some  of  these  and  potential 
controls  for  them  are: 

Information  Overload  -  Information  flowing  from  echelons  above  and 
below threatens to swamp the operational commander and reduce his battlespace
awareness. The operational commander must take advantage of systems
designed  to  help  filter  this  information  and  format  it  intelligibly.  He  must  be 
familiar  with  how  they  work  to  ensure  they  reflect  his  approach  to  data  filtering 
and  so  he  can  trust  them.  This  applies  equally  to  systems  managing  data  such 
as  message  handling  and  dissemination  systems  and  “fused  picture”  battlespace 
displays.  The  commander  must  understand  their  capabilities  and  limitations  and 
ensure  his  people  know  how  to  use  them.  Alternates  to  such  systems  are  staff 
members  who  can  be  trusted  to  provide  a  similar  filtering  mechanism  in  the  event 
of  system  failure. 

System  Overload  -  Required  information  volumes  expected  for  full 
spectrum intelligence analysis in future conflicts are beyond the capacity of current
systems. The increase of several orders of magnitude may overwhelm our ability
to collect, analyze, store and disseminate results. As William James said, “The
art of being wise is the art of knowing what to overlook.” Recognition of this
must drive intelligence collection and analysis to yield information “that can be
suitably digested and acted upon.” It will also protect the intelligence staff from
becoming  overwhelmed. 

Communications demands can also overload system capacity, especially
in networked systems. Localized degradations of response time and brownouts
of internet service due to fluxes in demand have occurred in the commercial
sector. The expected surge in communications requirements that accompanies
crisis action could yield similar problems for theater networks. Stress testing
programs are available which allow simulations of live loads to identify potential
transmission bottlenecks before a real crisis takes place. Corrective action in
the form of system upgrades or in procedural restrictions to prevent system
overload can then be put in place as necessary.

Hardware Failure - Normal wear and tear causes systems to fail. The
harsh environment of deployed settings and the act of movement to the theater
increase the risk to hardware. Hot spares and well-trained technicians are the
best control for the risk that your hardware may suddenly cease working. Strict
maintenance and test cycles also minimize risk of unexpected failure.

Interoperability Problems - The commander cannot anticipate “plug and
play” system operations. Much of the initial set-up time for theater IT will be
devoted to wringing out problems caused by differing protocols and system
configurations of the services. This is not just a joint issue. Elements shifting
from one theater to another and reconnecting to same-service systems must
readjust protocols and procedures because of stovepiped development and
application. Efforts to solve this problem include the establishment of a single,
unifying DoD joint technical architecture intended to drive all future DoD C4ISR
acquisitions. This will help in the future. Today the operational commander
must place high priority on securing technical training for his systems
administrators and maintainers at schools of the various services to minimize
set-up time and anticipate that it will not be fast or easy.

Doctrine Problems - “In many cases, the technology associated with a
new system or piece of equipment is mature and the technical risk low, but we do
not know how to effectively use it, and so the operational risk is high.” When
advanced technology is fielded without ample time to learn how it is operated and
how it is employed, the operational commander invites mistakes. He must fight
the temptation to accept every “new toy” that comes along. Use of technology
coordination (or cut-off) dates (TCDs) to prevent late insertion of technology to
satisfy someone else’s agenda can help ensure forces train as they will fight.

A fruitful way to verify that as many system vulnerabilities as possible
have been uncovered is to form “red teams,” aggressors to attack systems during
planned tests, exercises and demonstrations. Their efforts to find vulnerabilities
and ways to exploit them give a dual pay-off. First, they enable the
development of ways to defend against similar attacks from the real enemy and
second, they may identify new ways to attack the enemy.

Eliminate  Unnecessary  Risk 

Eliminating unnecessary risk is the next step of the ORM process. A good
hard look at procedures and systems can eliminate risk without any real pain in
terms of effort, resources or expected outcomes. There are many “easy outs” in
the IT world. Examples include installation of uninterruptible power sources
(UPSs) and back-up generators, ensuring personnel are disciplined about
performing back-ups and keeping passwords current, and allowing adequate time
for system maintenance. Additional risk can be eliminated (or greatly reduced)
by insisting on redundant or compatible systems whenever possible.

Create enclaves of security by isolating systems that do not absolutely
need to be tied to external systems to support theater operations. These
“trusted” systems can be scaled from individual computers to larger networks.
Because they are not connected to the outside world, outsiders cannot penetrate
them. Of course, all data and software must be thoroughly validated as “virus
free” before it enters the enclave. Development and installation of trusted
firewalls may allow a connected enclave, i.e., one that is shielded from the
outside, but has protected connections to other trusted enclaves or limited
connections to less restrictive networks.

Make  Risk  Decisions 

Once  unnecessary  risk  has  been  eliminated,  it  is  time  for  the  tougher 
decision.  What  risk  is  inherent  in  the  mission?  Can  any  mission  elements  be 
sacrificed  for  risk  reduction?  The  key  to  these  decisions  is  that  they  must  be 
made  at  an  appropriate  level  of  command.  If  the  operational  commander 
delegates  this  decision-making  he  should,  at  a  minimum,  insist  upon  a  thorough 
brief  on  the  chosen  approach  to  acceptable  and  unacceptable  risks. 

Accept  Risk  Based  on  Benefits  and  Costs 

The  risk  decisions  themselves  will  be  driven  by  the  cost  of  eliminating  or 
decreasing  the  risk  in  terms  of  resources,  personnel  efforts,  or  interference  with 
function  and/or  mission.  If  certain  data  is  more  important,  or  a  system’s  function 
is  critical,  more  costs  are  justified.  Nonetheless,  costs  may  be  prohibitive  if  rapid 
access  and  reach-back  is  integral  to  operations. 

Planning for Success — Rational Expectations

Organize for Success

Defensive IW (IW-D) must be planned as a system. To accomplish this
most effectively, a rational organization combining systems expertise and
operational acumen is required. “Integrated technologies demand more
integrated organizational support structures... In a joint environment, the JFC
must mandate a unified communications/information systems team.” This team
of experts can effectively implement the ORM process with proper mission focus
complemented by a real understanding of systems integration and vulnerability
issues. It may be focused on IW-D alone or both IW-D and IW-O. Most
effectively implemented as a permanent element, it should be led by the J6
organization and include additional duty members from the J2 and J3 staffs.

Additional  ORM  Benefits 

The education gained through the ORM process provides additional means to reduce
risk. Increased understanding of how system attacks may be launched allows
the design of an effective indications and warning (I&W) profile. This profile can
help establish threshold criteria for intelligence collection and automated
detection agents to provide alerts as early in an attack as possible. Such a “trip
wire” strategy is critical given how quickly damage to IT assets can take place.

Develop a Scheme for System Defense

A final product of the ORM process must be the operational commander’s
scheme for system defense. A reasonable scheme builds on Alberts’
“defense-in-depth” strategy. Its variable information availability depending upon severity of
threat fits well with the ORM approach. This scheme shifts system access from
“information first” to “security first” with increasing levels of access controls,
sophistication of defense and cost. Crossing each barrier requires an IW attack
of increasing sophistication and cost.

No scheme of defense is complete without a plan to conduct damage
control. The IW and Operations staffs must assume that an attack will occur and
will cause some damage. With this in mind, they must prioritize systems and
circuits for reconstitution. Fall backs using the assets of less important
systems and focused repair efforts must be automatic.

The final scheme must be based on readiness, prevention of intrusions,
user education and discipline, planned alternates, constant efforts to detect
“insurgencies,” a comprehensive damage control plan, and tightened access
controls upon indications that attack may be imminent. Clausewitz sums it up:

One can mitigate the situation somewhat by taking some
[...] position and on the roads that lead
back from it, or, where there are no fortresses, by fortifying
[...] treating the population well, keeping
strict discipline on military roads, policing the area thoroughly
and constantly keeping the roads in repair. But the risks can
never be entirely eliminated.


Conclusions 


In the IW arena an adversary can strike hard with but a small offense.
Dependence on technology makes one highly vulnerable to attack. The only
rational answer is to invest in a credible defense to reestablish equilibrium
between the offense and defense. To do so takes time, money and personnel.
Operational commanders must exhaust their own options to minimize risk and
exposure. It is impossible to eliminate all risk, but risk can be driven down to an
acceptable level. By following a structured methodology such as that outlined in
this paper, the operational commander increases the likelihood that he will
secure his lines and win the information war.

“Crucial Network Imperatives Spawn Information War Peril,” 35.

“Battlespace Information: Command and Control (C2), Operational Intelligence and Systems
Integration,” 22.

“Crucial Network Imperatives Spawn Information War Peril,” 35.

Joint Pub 3-13.1, 1-3.

“Report of the Defense Science Board Task Force On Information Warfare - Defense (IW-D).”

Schwartau, 13.

“Operational Functions,” 32.

Ibid.

LOCs are typically viewed as logistical lines allowing movement and sustainment of forces.
When considering IT assets and information flow these lines can be taken literally. They provide
the communications link from the national-strategic level through the operational and tactical
levels and between similar levels of supporting and supported commands. As the integrity and
strategic protection of logistics LOCs is critical to sustaining the forces, the integrity and strategic
protection of information LOCs is critical to sustaining information flow.

Clausewitz, 345.

Many sources back up Schwartau’s claim that the U.S. continues to be vulnerable to enemy
attack on our systems, especially those within our borders. “That Wild, Wild Cyberspace Frontier,”
“Western Infrastructures Face Rogue Data Stream Onslaught,” “Crucial Network Imperatives
Spawn Information War Peril,” and “No Sheriffs Patrol Universal Cyberspace Frontier Towns” are
representative of the increasing level of attention the NII vulnerability is receiving. Although
published in 1994, Schwartau’s seminal publication, Information Warfare: Chaos on the Electronic
Superhighway, is an extremely comprehensive and frightening discourse on the growing threat.

Executive Order on Critical Infrastructure Protection.

Joint Pub 6-0, I-3.

Libicki, What is Information Warfare? 9-18.

Dishong’s detailed analysis is not an adequate measure for definitive conclusions.
Nonetheless, it does provide solid support for intuitive assessments and validates an approach to
modeling the impact of IT on the commander.

Clausewitz, 347.

“Redundancy, Robustness Protect Vital National Information Links,” 38-9.

U.S. Navy Safety Center Website, <http://www.norfolk.navy.mil/safecen/orm.htm>

OPNAVINST 3500.39.

“Operational Risk Management: A Moral Imperative.”

Blount, 14.

Eisen, 6.

“Redundancy, Robustness Protect Vital National Information Links,” 38-9.

Blount, 14.

Kraus, 44.

Clausewitz, 345.

Joint Pub 3-13.1, 1-2.

Until recently a volume of approximately a gigabyte (10^9 bytes) of data was needed to support
one day’s operational intelligence in a typical theater-level intelligence center. Today’s
requirements are in the multiple terabyte (10^12 bytes) range. See Black, This Page Under
Construction: Information Warfare in the Post-Cold War World, 17.

Correct Quotes, Version 1.0.

Kaminsky, “21st Century Battlefield Dominance,” 2.

“Overloads Strike Networks; Brownouts, Failures Loom,” 23.

“Redundancy, Robustness Protect Vital National Information Links,” 37.

Paige, 2.

Kaminski, “Creating Opportunity with Advanced Technology,” 1.

Robinson, “Army Information Operations Protect Command and Control,” 47-8.

Anderson and Hundley, 42-43.

Several authors have proposed an additional branch of the military devoted specifically to IW,
an Information Corps. Libicki discusses this concept fully in The Mesh and the Net, 52-69.

“Battlespace Information: Command and Control (C2), Operational Intelligence and Systems
Integration,” 23.

The Joint Command and Control Warfare Center (JC2WC) and the Information Warfare
centers of each service can provide excellent guidance on “sniffers” and “snoopers” to identify
any “rogue” activity on networked systems. These commands are also excellent sources of
specialized talent for systems engineering, operations, and technical analysis of capabilities and
vulnerabilities.

Robinson, “Information Warfare Strings Trip Wire Warning Strategy,” 29.

Alberts, 39-41.

Clausewitz, 347.

Arquilla and Rondfeldt, 93.